Run Facebook Infer on PRs with GitHub Actions

.github/workflows/infer.yml

@@ -0,0 +1,90 @@
+name: Facebook Infer static analysis
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+      jdk_distro:
+        required: true
+        type: string
+      jdk_version:
+        required: true
+        type: string
+      wolfssl_configure:
+        required: true
+        type: string
+
+jobs:
+  build_wolfssljni:
+    runs-on: ${{ inputs.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      # Download Facebook Infer
+      - name: Download Infer
+        run: wget https://github.com/facebook/infer/releases/download/v1.1.0/infer-linux64-v1.1.0.tar.xz
+      - name: Extract Infer
+        run: tar -xvf infer-linux64-v1.1.0.tar.xz
+      - name: Symlink Infer
+        run: ln -s "$GITHUB_WORKSPACE/infer-linux64-v1.1.0/bin/infer" /usr/local/bin/infer
+      - name: Test Infer get version
+        run: infer --version
+
+      # Download Junit JARs
+      - name: Download junit-4.13.2.jar
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
+      - name: Download hamcrest-all-1.3.jar
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar
+
+      # Build native wolfSSL
+      - name: Build native wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: wolfSSL/wolfssl
+          ref: master
+          path: wolfssl
+          configure: ${{ inputs.wolfssl_configure }}
+          check: false
+          install: true
+
+      # Setup Java
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          distribution: ${{ inputs.jdk_distro }}
+          java-version: ${{ inputs.jdk_version }}
+
+      - name: Set JUNIT_HOME
+        run: |
+          echo "JUNIT_HOME=$GITHUB_WORKSPACE/junit" >> "$GITHUB_ENV"
+      - name: Set LD_LIBRARY_PATH
+        run: |
+          echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
+
+      # Build wolfssljni JNI library (libwolfssljni.so)
+      - name: Build JNI library
+        run: ./java.sh $GITHUB_WORKSPACE/build-dir
+
+      # Build wolfssljni JAR (wolfssljni.jar)
+      - name: Build JAR (ant)
+        run: ant
+
+      # Run ant tests
+      - name: Run Java tests (ant test)
+        run: ant test
+
+      - name: Show logs on failure
+        if: failure() || cancelled()
+        run: |
+          cat build/reports/*.txt
+
+      # Run Facebook Infer
+      - name: Run Facebook Infer
+        run: ./scripts/infer.sh
+
+      - name: Shows Infer report on failure
+        if: failure()
+        run: cat infer-out/report.txt
+

.github/workflows/main.yml

@@ -98,3 +98,21 @@ jobs:
       jdk_distro: "zulu"
       jdk_version: ${{ matrix.jdk_version }}
       wolfssl_configure: ${{ matrix.wolfssl_configure }}
+
+  # ------------------ Facebook Infer static analysis -------------------
+  # Run Facebook infer over PR code, only running on Linux with one
+  # JDK/version for now.
+  fb-infer:
+    strategy:
+      matrix:
+        os: [ 'ubuntu-latest' ]
+        jdk_version: [ '11' ]
+        wolfssl_configure: [ '--enable-jni --enable-all' ]
+    name: Facebook Infer (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure }})
+    uses: ./.github/workflows/infer.yml
+    with:
+      os: ${{ matrix.os }}
+      jdk_distro: "zulu"
+      jdk_version: ${{ matrix.jdk_version }}
+      wolfssl_configure: ${{ matrix.wolfssl_configure }}
+

scripts/infer.sh

@@ -13,10 +13,26 @@
 #    $ cd wolfssljni
 #    $ ./scripts/infer.sh
 #
-# wolfSSL Inc, May 2023
+# By default the generated output and logs from Infer will be deleted. To keep
+# them, pass 'keep' to the script:
 #
+#    $ ./scripts/infer.sh keep
+#
+# wolfSSL Inc, April 2024
+#
+#
+
+# These variables may be overridden on the command line.
+KEEP="${KEEP:-no}"
 
-infer run -- javac \
+while [ "$1" ]; do
+  if [ "$1" = 'keep' ]; then
+      KEEP='yes';
+  fi
+  shift
+done
+
+infer --fail-on-issue run -- javac \
     src/java/com/wolfssl/WolfSSL.java \
     src/java/com/wolfssl/WolfSSLALPNSelectCallback.java \
     src/java/com/wolfssl/WolfSSLCertManager.java \
@@ -78,9 +94,18 @@ infer run -- javac \
     src/java/com/wolfssl/provider/jsse/WolfSSLX509X.java \
     src/java/com/wolfssl/provider/jsse/adapter/WolfSSLJDK8Helper.java
 
+RETVAL=$?
+
 # remove compiled class files
 rm -r ./com
 
 # remove infer out directory (comment this out to inspect logs if needed)
-rm -r ./infer-out
+if [ "$RETVAL" == '0' ] && [ "$KEEP" == 'no' ]; then
+    rm -r ./infer-out
+fi
+
+if [ "$RETVAL" == '2' ]; then
+    # GitHub Actions expects return of 1 to mark step as failure
+    exit 1
+fi
 

src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java

@@ -204,6 +204,11 @@ private String GetKeyAndCertChainAlias(X509KeyManager km, Socket sock,
             return null;
         }
 
+        /* If javaVersion is null, set to empty string */
+        if (javaVersion == null) {
+            javaVersion = "";
+        }
+
         /* We only load keys from algorithms enabled in native wolfSSL,
          * and in the priority order of ECC first, then RSA. JDK 1.7.0_201
          * and 1.7.0_171 have a bug that causes PrivateKey.getEncoded() to